Why Does Password Strength and Complexity Matter?

It’s worth taking a moment to review why password length/complexity are so important, and why password re-use is so very, very bad. When you create a username and password combination, the server responsible for performing the authentication stores your password in an encrypted format called a “hash.” When you authenticate, the application you use takes the password you enter and performs the same hashing operation, and then the server compares the two hashes. If the hashes match, you are granted access.

How Hackers Get Your Password

When attackers steal the credentials list from a server, they normally only obtain the hashes of passwords – not the passwords themselves. To “crack” a password, the attacker needs to determine what character string, when passed through the hashing algorithm, will produce the matching hash. The two primary methods to crack passwords are brute-force and dictionary attacks. In a brute-force attack, the cracking computer tries every combination of all letters, numbers and special characters. Each combination is put through the hashing algorithm and compared against the list of hashes.  Even when using all character varieties, cracking a password of seven characters or less is trivial for modern desktop computers. But each additional character dramatically increases the number of possible combinations, especially if the password uses the full character set. 

Dictionary attacks play upon our tendency to pick passwords that are combinations of words or variations thereof. The cracking machine simply tries combinations of all the words in a dictionary file, often “mangling” them to overcome common practices like substituting “@” for “a” and “!” for “I.”

How Much Password Complexity Do You Need?

So how much length and complexity is enough? Ideally, the answer is “as long and complex as the site will allow.” Advances in cloud computing have made it inexpensive for attackers to rent incredibly powerful hash-cracking beasts. A physical computer that would cost over $20,000 to purchase can be had for $7.20 an hour in Amazon’s EC2 cloud.  So you create an incredible password for your bank account, something like “d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2.” You even manage to memorize this thing of beauty. But that was hard, and you are not Rain Man. So you re-use this password when you create your account at redneckbaitshop.com. 

Bubba, the proprietor and chief worm farmer at redneckbaitshop.com, decided to build his own e-commerce site, and he stores all credentials without encryption. Not surprisingly, redneckbaitshop.com is hacked and attackers steal the credentials list. Within minutes, the attackers are trying every username and password combination on all the major banking sites – including yours. That beautiful password you created is now used against you to drain your life savings.

PlexTrac Author At PlexTrac, we bring together insights from a diverse range of voices. Our blog features contributions from industry experts, ethical hackers, CTOs, influencers, and PlexTrac team members—all sharing valuable perspectives on cybersecurity, pentesting, and risk management.